From 59b17c77f4ed93d10b298ec86840b114cedf6df1 Mon Sep 17 00:00:00 2001
From: wittemann
Date: Mon, 24 Oct 2011 11:29:19 +0200
Subject: [PATCH 1/6] Modified the get method to support more than one element in the template stored in the dom.
---
 mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre b/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
index a70d0a4..42b3767 100644
--- a/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
+++ b/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
@@ -105,15 +105,29 @@ qx.Class.define("qx.bom.Template", {
 * @return {DomNode} A DOM element holding the parsed template data.
 */
 get : function(id, view, partials) {
+ // get the content stored in the DOM
 var template = document.getElementById(id);
 var inner = template.innerHTML;
-
+
+ // apply the view
 inner = this.toHtml(inner, view, partials);
-
+
+ // special case for text only conversion
+ if (inner.search(/<|>/) === -1) {
+ return inner;
+ }
+
+ // create a helper to convert the string into DOM nodes
 var helper = qx.bom.Element.create("div");
 helper.innerHTML = inner;
 
- return helper.children[0];
+ // use a document fragment to return more than one note
+ var docFragment = document.createDocumentFragment();
+ for (var i = helper.childNodes.length - 1; i >= 0; i--) {
+ qx.dom.Element.insertBegin(helper.childNodes[i], docFragment);
+ };
+
+ return docFragment;
 }
 }
 });
From be94fda74f3132744e818f21d20a2316cf697d50 Mon Sep 17 00:00:00 2001
From: wittemann
Date: Mon, 24 Oct 2011 16:22:33 +0200
Subject: [PATCH 2/6] Changed the qooxdoo pre template back to the way it was.
---
 mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre b/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
index 42b3767..bc3ea7f 100644
--- a/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
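Review bot: In PATCH 1/6 (and the identical hunk resent as PATCH 3/6) the added text-only branch `if (inner.search(/<|>/) === -1) { return inner; }` makes get() return a plain string, while the markup path now returns a DocumentFragment and the doc comment still says `@return {DomNode}`. That string is the output of `toHtml`, so it is HTML source with entities rather than display text, and every caller has to guess whether to assign it as markup or as text. Since the new loop copies `helper.childNodes`, a text-only render should already arrive as a single text node inside the fragment, so the special case can be dropped and `@return` updated to name the fragment. `document.getElementById(id)` is also dereferenced unchecked, so an unknown id surfaces as a TypeError on `template.innerHTML`; `if (!template) { throw new Error("No template with id '" + id + "'"); }` would name the cause. The doc comment of get() starts outside the hunk.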
+++ b/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
@@ -97,7 +97,8 @@ qx.Class.define("qx.bom.Template", {
 * Helper method which provides you with a direct access to templates
 * stored as HTML in the DOM. The DOM node with the given ID will be reated
 * as a template, parsed and a new DOM node will be returned containing the
- * parsed data.
+ * parsed data. Keep in mind to have only one root DOM element in the the
+ * template.
 *
 * @param id {String} The id of the HTML template in the DOM.
 * @param view {Object} The object holding the data to render.
@@ -108,26 +109,20 @@ qx.Class.define("qx.bom.Template", {
 // get the content stored in the DOM
 var template = document.getElementById(id);
 var inner = template.innerHTML;
-
+
 // apply the view
 inner = this.toHtml(inner, view, partials);
-
+
 // special case for text only conversion
 if (inner.search(/<|>/) === -1) {
 return inner;
 }
-
+
 // create a helper to convert the string into DOM nodes
 var helper = qx.bom.Element.create("div");
 helper.innerHTML = inner;
-
- // use a document fragment to return more than one note
- var docFragment = document.createDocumentFragment();
- for (var i = helper.childNodes.length - 1; i >= 0; i--) {
- qx.dom.Element.insertBegin(helper.childNodes[i], docFragment);
- };
-
- return docFragment;
+
+ return helper.children[0];
 }
 }
 });
From 0cc140c52c82e3dfcf07a75213ec656116320d90 Mon Sep 17 00:00:00 2001
From: wittemann
Date: Mon, 24 Oct 2011 11:29:19 +0200
Subject: [PATCH 3/6] Modified the get method to support more than one element in the template stored in the dom.
---
 mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre b/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
index a70d0a4..42b3767 100644
--- a/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
+++ b/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
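Review bot: In PATCH 2/6 (resent unchanged as PATCH 4/6) the `@@ -108,26 +109,20 @@` hunk goes back to `return helper.children[0];` but keeps the text-only branch, so get() returns either a string or the first element child while `@return {DomNode}` is left as it was. Any further root elements are discarded without a signal, and when the rendered output contains `<` or `>` but no element, `helper.children[0]` is `undefined`. The doc change in the first hunk asks for a single root; the code could enforce that with `if (helper.children.length !== 1) { throw new Error("Template '" + id + "' must render exactly one root element"); }`, or at least document both return types. The signature of get() is outside the hunk.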
@@ -105,15 +105,29 @@ qx.Class.define("qx.bom.Template", {
 * @return {DomNode} A DOM element holding the parsed template data.
 */
 get : function(id, view, partials) {
+ // get the content stored in the DOM
 var template = document.getElementById(id);
 var inner = template.innerHTML;
-
+
+ // apply the view
 inner = this.toHtml(inner, view, partials);
-
+
+ // special case for text only conversion
+ if (inner.search(/<|>/) === -1) {
+ return inner;
+ }
+
+ // create a helper to convert the string into DOM nodes
 var helper = qx.bom.Element.create("div");
 helper.innerHTML = inner;
 
- return helper.children[0];
+ // use a document fragment to return more than one note
+ var docFragment = document.createDocumentFragment();
+ for (var i = helper.childNodes.length - 1; i >= 0; i--) {
+ qx.dom.Element.insertBegin(helper.childNodes[i], docFragment);
+ };
+
+ return docFragment;
 }
 }
 });
From 53e49cfc76f2493d3123e055e6d761c571c53e11 Mon Sep 17 00:00:00 2001
From: wittemann
Date: Mon, 24 Oct 2011 16:22:33 +0200
Subject: [PATCH 4/6] Changed the qooxdoo pre template back to the way it was.
---
 mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre b/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
index 42b3767..bc3ea7f 100644
--- a/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
+++ b/mustache-qooxdoo/qooxdoo.mustache.js.tpl.pre
@@ -97,7 +97,8 @@ qx.Class.define("qx.bom.Template", {
 * Helper method which provides you with a direct access to templates
 * stored as HTML in the DOM. The DOM node with the given ID will be reated
 * as a template, parsed and a new DOM node will be returned containing the
- * parsed data.
+ * parsed data. Keep in mind to have only one root DOM element in the the
+ * template.
 *
 * @param id {String} The id of the HTML template in the DOM.
 * @param view {Object} The object holding the data to render.
@@ -108,26 +109,20 @@ qx.Class.define("qx.bom.Template", {
 // get the content stored in the DOM
 var template = document.getElementById(id);
 var inner = template.innerHTML;
-
+
 // apply the view
 inner = this.toHtml(inner, view, partials);
-
+
 // special case for text only conversion
 if (inner.search(/<|>/) === -1) {
 return inner;
 }
-
+
 // create a helper to convert the string into DOM nodes
 var helper = qx.bom.Element.create("div");
 helper.innerHTML = inner;
-
- // use a document fragment to return more than one note
- var docFragment = document.createDocumentFragment();
- for (var i = helper.childNodes.length - 1; i >= 0; i--) {
- qx.dom.Element.insertBegin(helper.childNodes[i], docFragment);
- };
-
- return docFragment;
+
+ return helper.children[0];
 }
 }
 });
From e2d919a21492acbd97c4c8f430cef7193a5919b6 Mon Sep 17 00:00:00 2001
From: Chad Weider
Date: Tue, 10 Apr 2012 16:00:25 -0700
Subject: [PATCH 5/6] Strict HTML escape. This replaces the soft escaping ('&' -> '&') with strict escaping ('&' -> '&amp;'). This new behavior matches that of Ruby and other Mustache implementations. Other points: - `dot_notation` currency is changed to use an ASCII character, since the JS interpreters did not appreciate unicode. - Forward slash is added to escape list c/o OWASP recommendations.
---
 mustache.js | 5 +++--
 spec/_files/dot_notation.js | 4 ++--
 spec/_files/dot_notation.txt | 4 ++--
 spec/_files/escaped.js | 2 +-
 spec/_files/escaped.txt | 2 +-
 5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/mustache.js b/mustache.js
index 641cebd..33694d0 100644
--- a/mustache.js
+++ b/mustache.js
@@ -86,11 +86,12 @@ var Mustache = (typeof module !== "undefined" && module.exports) || {};
 "<": "<",
 ">": ">",
 '"': '"',
- "'": '''
+ "'": ''',
+ "/": '/'
 };
 
 function escapeHTML(string) {
- return String(string).replace(/&(?!\w+;)|[<>"']/g, function (s) {
+ return String(string).replace(/[&<>"'\/]/g, function (s) {
 return escapeMap[s] || s;
 });
 }
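Review bot: `escapeHTML` in mustache.js carries no comment saying which output contexts the new character set covers, and that is what a template author needs to know before relying on `{{value}}`. Escaping `&`, `<`, `>`, `"`, `'` and `/` is enough for element content and for quoted attribute values; it does not make a value safe in an unquoted attribute, inside a script or style block, or as a complete URL, because none of those contexts is delimited by the escaped characters alone. I would add above the function something like `// Escapes for HTML element content and quoted attribute values only; not for unquoted attributes, script/style blocks or URL schemes.` Assuming `&` is keyed in the part of `escapeMap` above the hunk, every character the new regex matches is in the map, so the `|| s` fallback in the callback is unreachable and could be removed. The start of `escapeMap` is outside the hunk.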
diff --git a/spec/_files/dot_notation.js b/spec/_files/dot_notation.js
index c1295f5..17eb00e 100644
--- a/spec/_files/dot_notation.js
+++ b/spec/_files/dot_notation.js
@@ -7,8 +7,8 @@ var dot_notation = {
 return this.value * 0.2;
 },
 currency: {
- symbol: '€',
- name: 'Euro'
+ symbol: '$',
+ name: 'USD'
 }
 },
 availability:{
diff --git a/spec/_files/dot_notation.txt b/spec/_files/dot_notation.txt
index d0e4707..08afa05 100644
--- a/spec/_files/dot_notation.txt
+++ b/spec/_files/dot_notation.txt
@@ -1,8 +1,8 @@

A Book

Authors:

  • John Power
  • Jamie Walsh

-

Price: €200 Euro In Stock

-

VAT: €40

+

Price: $200 USD In Stock

+

VAT: $40

Test truthy false values:

Zero: 0

diff --git a/spec/_files/escaped.js b/spec/_files/escaped.js
index 7a8baef..903e559 100644
--- a/spec/_files/escaped.js
+++ b/spec/_files/escaped.js
@@ -2,5 +2,5 @@ var escaped = {
 title: function() {
 return "Bear > Shark";
 },
- entities: """
+ entities: "" \"'<>/"
 };
diff --git a/spec/_files/escaped.txt b/spec/_files/escaped.txt
index 73ac5ce..be2f2e9 100644
--- a/spec/_files/escaped.txt
+++ b/spec/_files/escaped.txt
@@ -1,2 +1,2 @@

Bear > Shark

-But not ".
+But not &quot; "'<>/.
From 7864e65efbbb2ddcf8bb61c6eff53352b0c0576f Mon Sep 17 00:00:00 2001
From: wittemann
Date: Mon, 4 Jun 2012 10:12:02 +0200
Subject: [PATCH 6/6] Updated the qooxdoo wrapper to reflect the render method.
---
 wrappers/qooxdoo/mustache.js.post | 2 +-
 wrappers/qooxdoo/mustache.js.pre | 12 +++++-------
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/wrappers/qooxdoo/mustache.js.post b/wrappers/qooxdoo/mustache.js.post
index bd4b406..aba7af6 100644
--- a/wrappers/qooxdoo/mustache.js.post
+++ b/wrappers/qooxdoo/mustache.js.post
@@ -4,6 +4,6 @@
 
 // EXPOSE qooxdoo variant
 qx.bom.Template.version = Mustache.version;
-qx.bom.Template.toHtml = Mustache.render;
+qx.bom.Template.render = Mustache.render;
 
 })();
diff --git a/wrappers/qooxdoo/mustache.js.pre b/wrappers/qooxdoo/mustache.js.pre
index f1fce6d..fa37070 100644
--- a/wrappers/qooxdoo/mustache.js.pre
+++ b/wrappers/qooxdoo/mustache.js.pre
@@ -5,7 +5,7 @@
 http://qooxdoo.org
 
 Copyright:
- 2004-2011 1&1 Internet AG, Germany, http://www.1und1.de
+ 2004-2012 1&1 Internet AG, Germany, http://www.1und1.de
 
 License:
 LGPL: http://www.gnu.org/licenses/lgpl.html
@@ -74,7 +74,7 @@
 * For further details, please visit the mustache.js documentation here:
 * https://github.com/janl/mustache.js/blob/master/README.md
 */
-qx.Class.define("qx.bom.Template", {
+qx.Bootstrap.define("qx.bom.Template", {
 statics : {
 /** Contains the mustache.js version. */
 version: null,
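Review bot: The rename in mustache.js.post (`qx.bom.Template.render = Mustache.render;`) and the matching `toHtml: null` to `render: null` change in the statics of mustache.js.pre remove `toHtml` without leaving an alias, and no hunk in PATCH 6/6 touches the body of get(). In the earlier patches of this series get() calls `this.toHtml(inner, view, partials)`; if that line is still present in this file, every call to get() will now fail with a TypeError. I would change that call to `this.render(inner, view, partials)` in the same commit and, if existing applications call `toHtml`, keep `qx.bom.Template.toHtml = Mustache.render;` as a deprecated alias for a release. The body of get() is not visible in this patch, so this needs checking against the file.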
@@ -83,19 +83,18 @@ qx.Class.define("qx.bom.Template", {
 * Original and only template method of mustache.js. For further
 * documentation, please visit https://github.com/janl/mustache.js
 *
- * @signature function(template, view, partials, send_fun)
+ * @signature function(template, view, partials)
 * @param template {String} The String containing the template.
 * @param view {Object} The object holding the data to render.
 * @param partials {Object} Object holding parts of a template.
- * @param send_fun {Function?} Callback function for streaming.
 * @return {String} The parsed template.
 */
- toHtml: null,
+ render: null,
 
 
 /**
 * Helper method which provides you with a direct access to templates
- * stored as HTML in the DOM. The DOM node with the given ID will be reated
+ * stored as HTML in the DOM. The DOM node with the given ID will be used
 * as a template, parsed and a new DOM node will be returned containing the
 * parsed data. Keep in mind to have only one root DOM element in the the
 * template.
@@ -133,4 +132,3 @@ qx.Class.define("qx.bom.Template", {
 * Below is the original mustache.js code. Snapshot date is mentioned in
 * the head of this file.
 */
-
\ No newline at end of file